8.1.1 Safety Review and Approval Processes
The safety review and approval processes are necessary for new avionics, procedures, ground hardware or software, and airspace changes implemented in the US Air Transportation System [176]. Proving that a solution is safe can be a lengthy and difficult process requiring a substantial amount of resources, effort, and iterations. It is technically difficult to prove that a change to a system as complex as air transportation will be safe. A large amount of analysis may be necessary in order to sufficiently prove that a system meets required safety performance, and in many cases (such as the implementation of ADS-B (CA14), ITWS (CA17), and TDWR (SA2)) limited operational implementations are used to understand safety consequences.
Figure 8-4 shows a simplified version of the approval process that occurs during implementation [135]. The approval process begins with an initial concept of operations to improve the system. Airborne components, ground-based infrastructure, and the air/ground interface and procedures all have to be approved separately. This approval process is closely connected to developing the details of a solution. As approval proceeds, standards for all components are developed and additional requirements identified and refined. Finally, significant coordination between different stakeholders involved in the approval process is necessary. Within the FAA, the Air Traffic Organization is responsible for the performance of the air traffic control system, and the Aviation Safety organization evaluates aircraft certification and changes to flight and operating rules. In the safety analysis process, technical expertise is also often required from air traffic controllers, aircraft operators, and other users of the system.
The safety review and approval process is necessary in order to ensure the safety of the system.
However, the complexities associated with carrying out such processes can introduce substantial delays and uncertainty into the transition process. An example where implementation was delayed due to certification includes the implementation of EGPWS (SA1).
Figure 8-4: Simplified Safety Certification and Approval Processes [135]. Figure courtesy of Roland Weibel.
Delays are caused by a number of factors including:
1. Requirements stability: Because standards are developed before certification of procedures, there is significant uncertainty in potential costs of recertification or re-equipage if, for example, the avionics installed by early adopters are later deemed inadequate. As a result, stakeholders may wait for requirements to become clear and stable. Changing requirements occurred in cases such as the implementation of in-situ radar to address microburst accidents (SA2), the implementation of TCAS (SA3), and ADS-B (CA14).
2. Varying criticality levels: A given transition may affect multiple areas of the system and may in fact be used in different applications as the technologies involved evolve. These applications may require different levels of safety certification. For example, if a service is initially only advisory, it may be subject to less critical evaluation. However, if it becomes the primary mechanism, it will then require a critical services level of certification. Confusion as to future applications may lead to confusion about the appropriate level of certification that must be applied.
3. Establishing equivalent versus target levels of safety: Assessing changes to a target level of safety is significantly more difficult because it is performed to an absolute instead of relative standard [135].
Of the three items enumerated above, the second two pertain to only one case study analyzed in this work (ADS-B). Although only one case has encountered these problems, they are pointed out here because ADS-B is a first step in many planned and fundamentally new changes in the Air Transportation System. As a result, subsequent applications that build on ADS-B, and other planned system transitions, may encounter similar obstacles. If currently planned transitions are to succeed, understanding the potential barriers they will encounter is key.
Example of Implementation Barriers in the Case of ADS-B
The case of ADS-B provides an example where the approval of applications based on ADS-B poses a significant source of uncertainty to realizing future benefits. Potential operational capabilities of ADS-B, such as reduced separation, will require operational approval by the FAA before benefits can be realized. Because the approval process is complex, there is uncertainty surrounding which applications will be approved and when that approval will be granted. In particular, unstable requirements, differing criticality levels, and certifying to equivalent vs. target levels of safety create uncertainty [135]. These uncertainties affect the NPV calculated during the cost benefit analysis and significantly contribute to operators' hesitancy to equip with ADS-B.
Requirements Stability This problem occurred during the development of DO-260, which is the Minimum Operational Performance Standards (MOPS) for the 1090 MHz extended squitter (1090ES) [177]. Early avionics based on the DO-260 standard allowed for the use of either of two potential measures of position uncertainty. During later revisions of the standards, only one of these measures was determined to be acceptable for use in ATC separation. As a result, the installation of ADS-B avionics in individual aircraft must be modified to use the approved method of broadcasting position uncertainty [178].
Varying Criticality Levels Initially planned ADS-B applications require an essential services level of certification. However, a number of planned future applications, such as self-separation, will require a critical services level of certification. Critical services must meet a higher system availability requirement and have a lower probability of failure. Because of the different levels of criticality for current and future ADS-B applications, there is a concern that the current airborne specification of the system may not be sufficient to support future uses. If this occurs, additional equipage standards would be needed, requiring a new round of safety certification and approval.
Equivalent versus Target Levels of Safety As currently specified, ADS-B will be a replacement surveillance source for current radar separation procedures. As a result, the use of ADS-B can be certified using an equivalent level of safety approach. This approach requires demonstration that ADS-B performs equivalently to current surveillance sources. Such approval is easier to achieve than performing an analysis to a target level of safety. However, reduction in separation standards requires an assessment to a target level of safety before procedures can be approved [179].